DNS, Certificates, and SSL
This document contains instructions for configuring DNS, SSL, and Ingress for RegScale in Kubernetes.
DNS, SSL, and Ingress
While this guide will not cover every possible DNS, SSL, and Ingress configuration, we will cover a few options and scenarios that will help you route and secure traffic to RegScale.
Option 1: Your company already has procedures in place to manage DNS, SSL Certificates, and an Ingress Service
- Obtain a full chain SSL certificate that includes the root Certificate Authority (CA), intermediate cert, and the RegScale cert
- Obtain the RegScale certificate key
- Obtain a DNS record for RegScale, i.e. RegScale.yourdomain.com
- Configure the Ingress Service to route https://RegScale.yourdomain.com traffic to the atlas-service
Option 2: Cloud hosted Kubernetes with a public certificate
1. Obtain the full chain public SSL certificate, i.e. RegScale.yourdomain.com
   - Create a file called atlas.crt and copy the full chain certificate into the crt file, removing all text and any new line chars. Do not remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines
2. Obtain the public SSL certificate key
   - Create a file called atlas.key and copy the private key into the key file
3. Convert the Atlas cert and key to base64:
   - Run the following commands (tr removes the line wrapping that GNU base64 adds, so each value is a single line):
     cat atlas.crt | base64 | tr -d '\n'
     cat atlas.key | base64 | tr -d '\n'
4. Deploy the atlas-tls-secret.yaml file to your Kubernetes cluster:
   kubectl apply -f atlas-tls-secret.yaml
5. Install Nginx-Ingress. We recommend installing using Helm
   - Set the Kubernetes context where you are installing RegScale and run the following command (the default certificate is passed to the controller through controller.extraArgs):
     helm install nginx-ingress stable/nginx-ingress --namespace atlas --set controller.extraArgs.default-ssl-certificate=default/atlas-tls-secret --set controller.replicaCount=1 --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
6. Wait for the LoadBalancer service to start and provide an external IP address
7. Configure DNS
8. Update the atlas-ingress.yaml file
   - Replace atlas.yourdomain.com with your atlas URL
9. Deploy the atlas-ingress.yaml file to your Kubernetes cluster:
   kubectl apply -f atlas-ingress.yaml
10. If your domain name provider is different than your cloud provider, you will need to add the Name Servers from your cloud provider to your domain name provider.
Option 3: Cloud hosted Kubernetes with a self-signed certificate
By default, Nginx-Ingress includes a self-signed certificate called "Kubernetes Ingress Controller Fake Certificate". If you would like to replace the default self-signed certificate with your own self-signed certificate, follow the instructions below. NOTE: RegScale recommends the use of signed certificates from a trusted authority to verify authenticity and to reduce the number of browser security warnings encountered by end users.
1. Create a self-signed certificate
   openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout atlas.key -out atlas.crt -subj "/CN=yourdomain.com/O=yourdomain.com"
2. Upload certificate to your cloud provider
3. Convert the Atlas cert and key to base64:
   - Run the following commands (tr removes the line wrapping that GNU base64 adds, so each value is a single line):
     cat atlas.crt | base64 | tr -d '\n'
     cat atlas.key | base64 | tr -d '\n'
4. Copy the base64 results from step 3 and update the respective fields in the atlas-tls-secret.yaml file
5. Deploy the atlas-tls-secret.yaml file to your Kubernetes cluster:
   kubectl apply -f atlas-tls-secret.yaml
6. Deploy the atlas-ingress-cm.yaml file to your Kubernetes cluster:
   kubectl apply -f atlas-ingress-cm.yaml
7. Install Nginx-Ingress. We recommend installing using Helm
   - Set the Kubernetes context where you are installing atlas and run the following command (the default certificate is passed to the controller through controller.extraArgs):
     helm install nginx-ingress stable/nginx-ingress --namespace atlas --set controller.extraArgs.default-ssl-certificate=default/atlas-tls-secret --set controller.replicaCount=1 --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
8. Wait for the LoadBalancer service to start and provide an external IP address
9. Configure DNS
10. Update the atlas-ingress.yaml file
    - Replace atlas.yourdomain.com with your RegScale URL
11. Deploy the atlas-ingress.yaml file to your Kubernetes cluster:
    kubectl apply -f atlas-ingress.yaml
12. If your domain name provider is different than your cloud provider, you will need to add the Name Servers from your cloud provider to your domain name provider.
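A pre-flight check for the certificate and key used in Options 2 and 3, as an added example that is not part of the RegScale documentation: it confirms that atlas.key belongs to atlas.crt and that the certificate is not about to expire, then prints a TLS Secret manifest. The manifest layout (a standard kubernetes.io/tls Secret in the default namespace), the function names and the script name check-atlas-tls.sh are assumptions; use the atlas-tls-secret.yaml shipped with RegScale if it differs.

```shell
#!/bin/sh
# Added example: pre-flight checks for atlas.crt / atlas.key before deployment.
# Assumption: atlas-tls-secret is a standard kubernetes.io/tls Secret; the
# page does not show the manifest, so the layout below is illustrative.

# Succeed only if the private key ($2) belongs to the first certificate in $1.
cert_matches_key() (
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Succeed only if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Count the PEM certificates in a file; a full chain has more than one.
chain_length() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Base64-encode a file as one line (GNU base64 wraps at 76 columns by default).
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Run the checks, then print the Secret manifest to stdout.
render_tls_secret() {
  cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: atlas-tls-secret
  namespace: default
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$1")
  tls.key: $(b64_oneline "$2")
EOF
}

# Stand-alone use: sh check-atlas-tls.sh atlas.crt atlas.key > atlas-tls-secret.yaml
if [ "$#" -eq 2 ]; then render_tls_secret "$1" "$2"; fi
```

The manifest holds the private key base64-encoded, not encrypted, so protect it like atlas.key itself and keep it out of source control.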
Option 4: Stand-Alone
There are differences when configuring the stand alone version. See docs for configuration instructions.